Remove password aging

[alejandro-colomar]

I intend to remove it in 4.21, and deprecate in 4.20.

Passwords should never expire. It has been proved to decrease password safety.

The following features and/or programs will be deprecated in 4.20, and removed in 4.21:

• expiry(1)
• chage(1):
  • -I,--inactive (also the interactive version)
  • -m,--mindays (also the interactive version)
  • -M,--maxdays (also the interactive version)
  • -W,--warndays (also the interactive version)
• passwd(1):
  • -k,--keep-tokens
  • -n,--mindays
  • -x,--maxdays
  • -i,--inactive
  • -w,--warndays
• useradd(8):
  • -f,--inactive
• usermod(8):
  • -f,--inactive
• login.defs(5):
  • PASS_MIN_DAYS
  • PASS_MAX_DAYS
  • PASS_WARN_AGE
• /etc/default/useradd:
  • INACTIVE
• shadow(5):
  • sp_lstchg: Restrict to just the values 0 and empty.
  • sp_min
  • sp_max
  • sp_warn
  • sp_inact

Distros should make sure to remove those 3 values from login.defs(5) ASAP. That will make sure that the transition from 4.20 to 4.21 will be smooth. These programs will fail if such a configuration is specified in 4.21.

Cc: @stoeckmann , @thesamesam , @floppym , @jubalh , @ikerexxe , @zeha , @hallyn

---

Here are some statistics of the PR:

$ COLUMNS=999 git diff --stat master..HEAD \
| grep '^ [^ ]' \
| tr / ' ' \
| awk '{print $1}' \
| sort \
| uniq \
| while read -r f; do
        echo $f;
        git diff --stat master..HEAD -- $f \
        | tail -n1;
done;
1533
configure.ac
 1 file changed, 3 deletions(-)
doc
 1 file changed, 3 insertions(+), 8 deletions(-)
etc
 1 file changed, 6 deletions(-)
lib
 10 files changed, 18 insertions(+), 220 deletions(-)
man
 35 files changed, 6 insertions(+), 1371 deletions(-)
po
 1 file changed, 2 deletions(-)
src
 12 files changed, 54 insertions(+), 1432 deletions(-)
tests
 1472 files changed, 18 insertions(+), 32517 deletions(-)

---

Here's what NIST and Microsoft say about this:

NIST
   NIST SP 800-63-3
       In 2017-06, NIST (National Institute of Standards and Technology)
       published NIST SP 800-63-3 <https://pages.nist.gov/800-63-3/> (Digital
       Identity Guidelines), which —among other documents— contained
       NIST SP 800-63B <https://pages.nist.gov/800-63-3/sp800-63b.html>
       (Authentication and Lifecycle Management).

       This 3rd revision of NIST SP 800-63 superseded NIST SP 800-63-2
       <https://csrc.nist.gov/pubs/sp/800/63/2/final> (Electronic
       Authentication Guideline), from 2013-08, which was withdrawn in
       2017-06-22.

       NIST SP 800-63B recommended in §5.1.1.2
       <https://pages.nist.gov/800-63-3/sp800-63b.html#memsecretver>
       (Memorized Secret Verifiers), paragraph 9, that passwords should not
       expire periodically.

              Verifiers SHOULD NOT require memorized secrets to be changed
              arbitrarily (e.g., periodically).  However, verifiers SHALL
              force a change if there is evidence of compromise of the
              authenticator.

       NIST SP 800-63-3 was amended in 2020-03-02, but didn't change this
       recommendation.

   FAQ
       In 2017-07, NIST published a FAQ page
       <https://pages.nist.gov/800-63-FAQ/> clarifying doubts about
       NIST SP 800-63.

       In 2018-04-30, an entry clarifying §5.1.1.2 was added
       <https://github.com/usnistgov/800-63-FAQ/commit/9a87d495088d>.

       That entry is currently numbered as B05
       <https://pages.nist.gov/800-63-FAQ/#q-b05> and contains the following
       text.

              Q-B05: Is password expiration no longer recommended?

              A-B05: SP 800-63B Section 5.1.1.2 paragraph 9 states:

                            “Verifiers SHOULD NOT require memorized secrets to
                            be changed arbitrarily (e.g., periodically).
                            However, verifiers SHALL force a change if there
                            is evidence of compromise of the authenticator.”

                     Users tend to choose weaker memorized secrets when they
                     know that they will have to change them in the near
                     future.  When those changes do occur, they often select a
                     secret that is similar to their old memorized secret by
                     applying a set of common transformations such as
                     increasing a number in the password.  This practice
                     provides a false sense of security if any of the previous
                     secrets has been compromised since attackers can apply
                     these same common transformations.  But if there is
                     evidence that the memorized secret has been compromised,
                     such as by a breach of the verifier’s hashed password
                     database or observed fraudulent activity, subscribers
                     should be required to change their memorized secrets.
                     However, this event-based change should occur rarely, so
                     that they are less motivated to choose a weak secret with
                     the knowledge that it will only be used for a limited
                     period of time.

   NIST SP 800-63-4
       In 2025-07, NIST published a new revision of the Digital Identity
       Guidelines: NIST SP 800-63-4 <https://pages.nist.gov/800-63-4/>, which
       —among other documents— contains NIST SP 800-63B-4
       <https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-63B-4.pdf>
       (Authentication and Authenticator Management).

       This 4th revision of NIST SP 800-63 superseded NIST SP 800-63-3
       <https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-63-3.pdf>,
       which was withdrawn in 2025-08-01.

       NIST SP 800-63B-4 is more strict than NIST SP 800-63B-3 regarding
       password expiration, and in §3.1.1.2
       <https://pages.nist.gov/800-63-4/sp800-63b.html#passwordver>, prohibits
       periodic password expiration.

              6.  Verifiers and CSPs SHALL NOT require subscribers to change
                  passwords periodically.  However, verifiers SHALL force a
                  change if there is evidence that the authenticator has been
                  compromised.

Microsoft
       Some corporations have changed their security policies similarly.

       In 2019, Microsoft released version v1903 of Windows 10.  With it, it
       also published the Security baseline (FINAL) for Windows 10 v1903 and
       Windows Server v1903
       <https://learn.microsoft.com/en-us/archive/blogs/secguide/security-baseline-final-for-windows-10-v1903-and-windows-server-v1903>.

       That publication drops periodic password expiration from their policy.

              •  Dropping the password-expiration policies that require
                 periodic password changes.  This change is discussed in
                 further detail below.

---

See also:

• https://pages.nist.gov/800-63-FAQ/#q-b05
• https://learn.microsoft.com/en-us/archive/blogs/secguide/security-baseline-final-for-windows-10-v1903-and-windows-server-v1903

---

Revisions:

v2

• Only remove some features of chage(1), but not the entire program.
• Keep support for sp_lstchg == 0.
• Keep passwd(1) -e.